← Back to Explore
sigmalowHunting
MaxMpxCt Registry Value Changed
Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
Detection Query
selection:
TargetObject|endswith: \Services\LanmanServer\Parameters\MaxMpxCt
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2024-03-19
Data Sources
windowsRegistry Set Events
Platforms
windows
References
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
- https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
Tags
attack.defense-evasionattack.t1070.005
Raw Content
title: MaxMpxCt Registry Value Changed
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
status: test
description: |
Detects changes to the "MaxMpxCt" registry value.
MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
references:
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
- https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-19
tags:
- attack.defense-evasion
- attack.t1070.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
condition: selection
falsepositives:
- Unknown
level: low